CVE-2026-27944 CRITICAL

CVE-2026-27944: Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure

Vendor 0Xjacky
Product nginx-ui
Weakness CWE-311 · Missing encryption
Published March 5, 2026
Last update March 19, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
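The two defects the description names (an endpoint reachable without authentication, and the decryption key handed back to the caller in a response header) are independent, and both have to be fixed for a downloaded archive to stay unreadable. The following Go example is added here to illustrate that; it is not nginx-ui's own code and does not reproduce its handlers. It uses only the standard library's net/http and httptest, and the route, header name, the bearer-token check, the token value and the key value are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerableBackupHandler models the pre-fix pattern described in the advisory:
// no authentication check, and the key that protects the archive is written
// into the X-Backup-Security response header for whoever asked. Illustrative
// stand-in only, not the project's handler.
func vulnerableBackupHandler(key string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Backup-Security", key) // key disclosed to the caller
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte("encrypted-backup-bytes")) // constructed archive body
	})
}

// requireAuth rejects any request that does not carry a bearer token present
// in validTokens before the wrapped handler runs. validTokens is a constructed
// stand-in for a real session store.
func requireAuth(validTokens map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, prefix) || !validTokens[strings.TrimPrefix(h, prefix)] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedBackupHandler serves the encrypted archive but never the key: the
// key stays server-side or is delivered out of band, so possession of the
// download alone does not let the holder read it.
func hardenedBackupHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		w.Write([]byte("encrypted-backup-bytes")) // constructed archive body
	})
}

// probe drives a handler in-process through httptest (no network) and reports
// the status code and whether a key came back in X-Backup-Security. This is
// how a unit test would pin the two properties the fix has to guarantee.
func probe(h http.Handler, authz string) (status int, keyLeaked bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Backup-Security") != ""
}

func main() {
	const key = "constructed-backup-key"
	tokens := map[string]bool{"constructed-session-token": true}

	s, leaked := probe(vulnerableBackupHandler(key), "")
	fmt.Printf("vulnerable, no auth:  status=%d keyLeaked=%v\n", s, leaked)

	hardened := requireAuth(tokens, hardenedBackupHandler())
	s, leaked = probe(hardened, "")
	fmt.Printf("hardened, no auth:    status=%d keyLeaked=%v\n", s, leaked)
	s, leaked = probe(hardened, "Bearer constructed-session-token")
	fmt.Printf("hardened, valid auth: status=%d keyLeaked=%v\n", s, leaked)
}
```

Run as written, the vulnerable handler answers an unauthenticated request with 200 and a populated key header, while the hardened chain returns 401 without a token and, even with a valid token, never emits the key. Keeping the two checks in a regression test is what prevents either half of the fix from quietly regressing later.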

Key dates

Disclosure timeline

March 5, 2026 CVE published
March 19, 2026 Record updated